Link Search Menu Expand Document
Cybersecurity Research

This is the mobile-friendly web version of the original article.

Securing Cyber Assets - Addressing Urgent Cyber Threats to Critical Infrastructure

NIAC

The President’s National Infrastructure Advisory Council

Securing Cyber Assets

Addressing Urgent Cyber Threats to Critical Infrastructure

August 2017

  1. Table of Contents
  2. About the NIAC
  3. Executive Summary: Imperative Takeaways
    1. Our Assessment
    2. Recommendations

Table of Contents

  • Executive Summary: Imperative Takeaways
  • Introduction
    • Our Task
    • Our Assessment
  • Recommendations and Supporting Findings
  • Moving Forward: Fundamental Change
  • Appendix A. Study Methodology
  • Appendix B. Acknowledgements
  • Appendix C. Urgency of Cyber Threats to Critical Sectors
  • Appendix D. National Cyber Governance: United Kingdom and Israeli Models
  • Appendix E. References

About the NIAC

The President’s National Infrastructure Advisory Council (NIAC) is composed of senior executives from industry and state and local government who own and operate the critical infrastructure essential to modern life. The Council was established by executive order in October 2001 to advise the President on practical strategies for industry and government to reduce complex risks to the designated critical infrastructure sectors.

At the President’s request, NIAC members conduct in-depth studies on physical and cyber risks to critical infrastructure and recommend solutions that reduce risks and improve security and resilience. Members draw upon their deep experience, engage national experts, and conduct extensive research to discern the key insights that lead to practical federal solutions to complex problems.

For more information on the NIAC and its work, please visit: https://www.dhs.gov/national-infrastructure-advisory-council.

Executive Summary: Imperative Takeaways

Our review of hundreds of studies and interviews with 38 cyber and industry experts revealed an echo chamber, loudly reverberating what needs to be done to secure critical U.S. infrastructure against aggressive and targeted cyber attacks. Cyber is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure. When a cyber attack can deliver the same damage or consequences as a kinetic attack, it requires national leadership and close coordination of our collective resources, capabilities, and authorities.

Our Assessment

The National Security Council (NSC) tasked the President’s National Infrastructure Advisory Council (NIAC) with examining how federal authorities and capabilities can best be applied to support cybersecurity of high-risk assets. We reviewed a comprehensive dataset of more than 140 federal capabilities and authorities, demonstrating impressive depth and complexity of federal resources.

We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks—provided they are properly organized, harnessed, and focused. Today, we are falling short.

Recommendations

The challenges the NIAC identified are well-known and reflected in study after study. There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions:

  1. Establish SEPARATE, SECURE COMMUNICATIONS NETWORKS specifically designated for the most critical cyber networks, including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.

    • ACTION REQUIRED BY: U.S. Department of Energy (DOE), U.S. Department of Homeland Security (DHS), Office of the Director of National Intelligence (ODNI), U.S. Department of Defense (DOD), NSC, and the Strategic Infrastructure Coordinating Council (SICC) (Electricity, Financial Services, and Communications)

  2. FACILITATE A PRIVATE-SECTOR-LED PILOT OF MACHINE-TO-MACHINE INFORMATION SHARING TECHNOLOGIES, led by the Electricity and Financial Services Sectors, to test public-private and company-to-company information sharing of cyber threats at network speed.

    • ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, and the SICC

  3. Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.

    • ACTION REQUIRED BY: NSC and DHS

  4. Strengthen the capabilities of TODAY’S CYBER WORKFORCE by sponsoring a public-private expert exchange program.

    • ACTION REQUIRED BY: NSC, DHS, and Congress

  5. Establish a set of LIMITED TIME, OUTCOME-BASED MARKET INCENTIVES that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.

    • ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, Congress, and the SICC

  6. Streamline and significantly expedite the SECURITY CLEARANCE PROCESS for owners of the nation’s most critical cyber assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.

    • ACTION REQUIRED BY: DHS, ODNI, NSC, Federal Bureau of Investigation (FBI), U.S. Office of Personnel Management (OPM), and all agencies that issue/sponsor clearances

  7. Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation’s front line of defense against major cyber attacks.

    • ACTION REQUIRED BY: NSC, DHS, ODNI, FBI, and the Intelligence Community

  8. PILOT AN OPERATIONAL TASK FORCE OF EXPERTS IN GOVERNMENT AND IN THE ELECTRICITY, FINANCE, AND COMMUNICATIONS INDUSTRIES—led by the executives who can direct priorities and marshal resources—to take decisive action on the nation’s top cyber needs with the speed and agility required by escalating cyber threats. (See explanatory chart on page 16.)

    • ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, the SICC, DOD, U.S. Department of the Treasury (Treasury), and U.S. Department of Justice (DOJ)

  9. USE THE NATIONAL-LEVEL GRIDEX IV EXERCISE (NOVEMBER 2017) TO TEST the detailed execution of federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the federal government’s response actions where they are unclear.

    • ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, and the SICC

  10. Establish an OPTIMUM CYBERSECURITY GOVERNANCE APPROACH to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across federal agencies.

    • ACTION REQUIRED BY: DHS, ODNI, NSC, DOJ, DOD, and Congress

  11. Task the Homeland Security Advisor to review the recommendations included in this report and within six months CONVENE A MEETING OF SENIOR GOVERNMENT OFFICIALS to address barriers to implementation and identify immediate next steps to move forward.

    • ACT ION REQUIRED BY: Homeland Security Advisor

The time to act is now. As a nation, we need to move past simply studying our cybersecurity challenges and begin taking meaningful steps to improve our cybersecurity to prevent a major debilitating cyber attack.

Our nation needs direction and leadership to dramatically reduce cyber risks. The NIAC stands ready to continue to support the President in this area.

Table of contents